SYSTEM FOR PROVIDING FINANCIAL SERVICES

CROSS REFERENCE TO RELATED APPLICATIONS 

This application claims the benefit of United States Provisional 
Application No. 60/182,364, filed February 14, 2000, entitled "System For 
Providing Financial Services." 

BACKGROUND OF THE INVENTION 

Field of the Invention: 

The present invention relates to financial consulting; and more 
particularly, to an integrated computerized system for providing financial 
services. 

Description of the Prior Art: 

Freedom to choose how to invest money is a cherished, time-honored 
right. However, a good portion of the investing public is confused about 
investing. As a result, many people tend to utilize a minimal number of 
investment vehicles, usually those with which they are familiar. Oftentimes, 
these modes of investment may not be appropriate for the investors' needs or 
ultimate goals. 

Recognizing that they lack the basic principles of investing, some 
people turn to financial advisors for specialized investment advice. Typically, 
financial advisors utilize a number of disparate tools to formulate a discrete 
financial plan. These include financial planning calculators, review of 
historical market trends and yield calculations, and the like. In some 
instances, certain of these tools may be automated; others require manual use. 

The financial industry has identified the need to automate financial 
services. For example, U.S. Patent No. 5,132,899 discloses a computer data 
gathering and processing methodology that facilitates access to various data 
including investment performance, Securities Exchange Commission reports, 
and stock financial characteristics to produce a list of stocks for purchase for 
investment and operating accounts. U.S. Patent Nos. 5,710,889 and 5,890,140
disclose a device and system for electronically integrating a plurality of 
financial services from different geographical locations and in different time 
zones. 

There have likewise been developed a number of computerized 
financial advisory systems. U.S. Patent No. 5,918,217 discloses an interface 
which allows a user to interactively explore how changes in one or more input 
decisions, such as risk tolerance, savings level, and retirement age affect one 
or more output values such as the probability of achieving specified financial 
goals. Some of these tools are available over the Internet. For example, at 
<<http://www.armchairmillionaire.com/fivesteps/intro.html>> there is 
provided an interactive savings tool which explores how to build a million 
dollar portfolio based on total dollar inputs. 

In some instances, there have been attempts to integrate different 
automated financial tools. U.S. Patent No. 5,245,535 discloses a system for 
demonstrating and displaying different financial concepts which includes a 
central processing unit for processing financial information from numerical 
data and a display means for displaying the financial information in graphic 
and textual form. U.S. Patent No. 5,214,579 discloses a data processing 
system that manages, monitors and reports the growth of a participant's 
investment base with respect to progress in achieving a predetermined target 
amount. 

None of the patents or systems described above disclose a secure 
system having a myriad of integrated financial applications and tools. 

There accordingly remains a need in the art for an integrated system 
for providing financial services that can perform a number of different 
finance-related functions. It would be particularly useful if such a system 
could access real-time market data to provide timely financial advice. It 
would also be useful if this tool incorporated a financial planning application. 
The financial planning application would also be more useful if it had the 
ability to monitor and assist investor-mediated transactions in order to achieve 
predetermined financial goals. The integrated system would also be useful if
it were capable of allowing a user to move between workstations at different 
locations while maintaining the application entitlements and preferences of 
their own computer. 

SUMMARY OF THE INVENTION 

In accordance with the present invention, there is provided an 
integrated system for providing financial services comprising at least one 
workstation having a central processing unit and a video display screen; at 
least one host server; a communication system for transmitting information 
between a workstation and at least one host server; and an application 
interface operable on the workstation for accessing at least one finance-related 
software application. Advantageously, the system of the present invention 
provides timely, proactive financial advice. Investors are afforded the 
opportunity to set and achieve investment goals based on real-time financial 
data as well as upon a number of other finance-related applications. In 
addition, the system provides a user with the ability to monitor and assist in 
investor-mediated transactions. 

The computer-based financial consulting system of the present 
invention comprises stationary or remote computer hardware and specially 
integrated financial applications. Importantly, the integrated financial 
applications provide the system with the ability to process and view market 
data and research, provide financial planning, conduct transactions and 
monitor and assist investor-mediated financial activities. A number of other 
finance-related and office software applications may also be integrated into 
the system as well. 

Another aspect of the invention is a system for providing financial 
information to end users in a network environment having at least one 
workstation and a host computer comprising an application interface having 
means for selectively running and displaying a plurality of finance-related 
software applications simultaneously; and means for controlling the display of 
the finance-related software applications; and an authentication system
having: means for determining a set of finance-related software applications 
that a user is entitled to selectively run and display; and means for setting 
user preferences for the user based on a stored user preference profile. 

Yet another aspect of the present invention is a workstation with 
access to integrated financial applications and which is readily adaptable to 
the needs of the individual user operating the workstation. The workstation 
comprises a central processing unit; a video display screen; a communication 
system for communicating between the workstation and at least one host 
server; an application interface operable on the workstation for accessing at 
least one finance-related software application; and an investor monitoring 
system. The workstations can be used by financial advisors to review and 
research market conditions, assist with financial planning, monitor financial 
activities, and enter orders for the execution of security transactions. 
Advantageously, the workstations of the present invention provide an 
advanced technology platform with a stable, fast operating environment, easy 
accessibility and usability, and the flexibility of remote computing. 

The present invention also provides an authentication system for 
creating an application interface of a financial assistance system, the 
authentication system comprises means for allowing access to applications 
permitted by a user entitlement level; means for providing user preferences; 
and a system for controlling the access and the user preferences. The 
authentication system provides a mechanism by which a user may move 
between workstations and retain all of the attributes of their own computer, 
i.e., applications entitlement and user preferences. In this way, the system 
provides nomadic capability. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will be more fully understood and further advantages 
will become apparent when reference is made to the following detailed 
description of the preferred embodiments of the invention and the
accompanying drawings, in which: 

FIG. 1 is a block diagram of an integrated financial service system; 

FIG. 2 is a schematic representation of a workstation in accordance 
with the present invention; 

FIG. 3 is a block diagram of the software hierarchy; 

FIG. 4 is a video screen display illustrating the application interface 
and, in particular, calculator applications available from the start menu; 

FIG. 5 is a video screen display of a market data application; 

FIG. 6 is a video screen display depicting the client information 
applications available from the start menu; 

FIG. 7 is a video screen display illustrating the opportunities and
event applications available from the start menu; 

FIG. 8 is a video screen display illustrating the print options available 
from the start menu; 

FIG. 9 is a video screen display illustrating the product and 
investment applications available from the start menu; 

FIG. 10 is a video screen display illustrating the research applications 
available from the start menu; 

FIG. 11 is a video screen display illustrating the support applications
available from the start menu; 

FIG. 12 is a video screen display illustrating the applications 
available from the tools selection in the start menu; 

FIG. 13 is a block diagram of the authentication system; and 

FIGS. 14-16 are systems flow diagrams depicting operation of the 
authentication system. 



DETAILED DESCRIPTION OF THE INVENTION 

I. System and Components 

A. Software Overview 

B. Application Interface Overview 

C. Authentication System Overview 

D. Workstation

E. Host Server(s) 

II. Software 

III. Application Interface 

IV. Authentication System 

I. System and Components: 

The present invention provides specially integrated tools for 
processing and viewing market data and research, providing financial 
planning, conducting financial transactions and monitoring investor activities. 
Advantageously, the invention affords users the ability to offer timely, 
proactive financial advice based on real-time financial data and a myriad of 
finance-related applications. 

Referring to FIG. 1, an integrated system 10 for providing financial 
services is shown. The system comprises at least one workstation 20; at least 
one host server; a communication system 40 for transmitting information 
between a workstation 20 and at least one host server; and an application 
interface (shown in FIGS. 4-12) for accessing at least one finance-related 
software application. In a preferred embodiment, the finance-related software 
application comprises a real-time market data application and a financial 
planning application. System 10 of the present invention comprises computer 
hardware that can be used in a stationary or remote environment and specially 
integrated software for the provision of financial services. 

A. Software Overview: 

Advantageously, system 10 may incorporate a number of different 
software applications. In one embodiment, system 10 includes a set of 
software applications which can be used to process and view real-time market 
data and research, assist financial planning, and monitor and assist in 
investor-mediated financial activities. Other software applications used by 
system 10 preferably include browser-based interfaces for searching specific 
documents and related information; searching financial information;
providing e-mail; providing mechanisms to search the Internet; accessing 
annuity and mutual fund databases; and providing conventional office 
applications. In accordance with the present invention, investors are provided 
with high-quality, reliable advice. The stability, functionality, easy usability 
and flexibility of the integrated system of the invention provides timely, 
proactive advice and counsel, thereby furthering investor goals. 

As will be discussed, the software may reside in part on any of the 
servers or workstations shown in FIG. 1. 

B. Application Interface Overview: 

In a preferred embodiment, software applications are integrated with 
an application interface 60 (or controlled shell), shown in FIGS. 4-12, in a 
manner that enables a user to view one or more graphical displays from a 
given application. System 10 may also provide a multitasking environment in 
which more than one application can be simultaneously run and viewed by the 
user. In this environment, an interface may have two or more windows, each 
representing a different application governed by its own protocols distinct to 
that application. The user can move between different windows, without 
having to constantly enter and exit each application of interest. Depending on 
the particular needs or questions of the user, appropriate software applications 
can be accessed and utilized to generate financial information. For example, 
the user could request research on particular market sectors and specific 
equity positions within that sector. In a preferred embodiment, application 
interface 60 is operable on workstation 20 to access at least two finance- 
related software applications, e.g., a real-time market data application and a 
financial planning application. Real-time market data can be utilized in 
conjunction with financial planning applications in order to provide 
comprehensive financial assistance. In another instance, the user may desire 
to monitor the activities of his or her client through an investor monitoring 
system. Here, the user could intercede in an order entered by the client or,
alternatively, contact the client to discuss the ramifications of a particular
order. Preferably, a scratchpad interface for moving information between the 
different software applications is also provided. 

C. Authentication System Overview: 

The invention also may include an authentication system 80 shown in 
FIG. 13, which is described in detail later. Once communications to a host 
server have been established, a user logs onto system 10 using authentication 
system 80, whereby the user enters a password and preferably, other 
authentication information such as a universal user name. This information is 
transmitted to a security function resident in the host server where a user is 
authenticated. This provides for confirmation of a user's identity. Of course, 
a user will be denied access to the system where authentication does not 
occur. The security functionality described herein also represents a single 
point of security control for adding or removing a user from the system. 
Preferably, the security function is resident in more than one host server in 
order to provide load balancing and disaster recovery. 

In addition, authentication system 80 also provides access to a user 
entitlement level that contains a list of applications that the user is allowed to 
access. That is, different users are entitled to access different applications 
and features resident in system 10. For example, a sales person would not 
receive alerts regarding investor-mediated transactions and therefore would 
not be allowed access to those applications. Most preferably, there may be a 
separate user entitlement level that associates a user with specific market data 
that he or she would be entitled to access. 

In a preferred embodiment, the authentication system also contains a 
move/add/change (MAC) function that updates the security function with new 
or changed user information. Preferably, the MAC function updates the 
security function with new or revised user names, social security functions, 
unique advisor identification number (where appropriate), identification for 
market data entitlements, and satellite branch identifiers (where appropriate), 
as well as an e-mail alias and title. The MAC function is a single entry point
to fully add or remove a user from all required security or distributed systems 
that support platform functionality. 

In addition, authentication system 80 also accesses a user customized 
preference profile resident on the host server. The user preference profile 
allows a user to customize his or her workstation, application interface and 
application settings, e.g., market data preferences. 

By providing the entitlement levels and preference profiles, the 
present invention allows a user to freely move between different workstations 
within system 10 and maintain access and preferences set at a user's own 
workstation, i.e., at their "home" office. Otherwise stated, these features 
provide nomadic capabilities allowing a single sign-on procedure, which can 
be utilized with any workstation 20 of system 10; sometimes known as "free- 
seating". 
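
The login flow of this section, sketched as an added example that is not part of the patent text: the host keeps credentials, entitlement levels and preference profiles, so a session looks the same from any workstation and a MAC removal revokes access everywhere. Class, method and application names are assumptions, and PBKDF2 password hashing is a swapped-in choice the patent does not specify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed application names (assumptions, not taken from the patent).
MARKET_DATA = "market_data"
PLANNING = "financial_planning"
MIRROR_ALERTS = "investor_monitoring"


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    apps: frozenset            # user entitlement level: allowed applications
    feeds: frozenset           # separate market-data entitlement level
    preferences: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Session:
    user: str
    workstation: str
    apps: frozenset
    feeds: frozenset
    preferences: dict


class SecurityFunction:
    """Host-resident security function: single point of control for users."""

    _DUMMY_SALT = b"\x00" * 16

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    # move/add/change (MAC) function: the only path that edits user records
    def mac_add(self, user, password, apps, feeds=()):
        salt = os.urandom(16)
        self._users[user] = UserRecord(salt, self._hash(password, salt),
                                       frozenset(apps), frozenset(feeds))

    def mac_remove(self, user):
        self._users.pop(user, None)

    def login(self, user, password, workstation):
        rec = self._users.get(user)
        salt = rec.salt if rec else self._DUMMY_SALT
        candidate = self._hash(password, salt)   # same work for unknown users
        if rec is None or not hmac.compare_digest(candidate, rec.pw_hash):
            return None                          # not authenticated: no access
        # Entitlements and preferences come from the host, not the workstation.
        return Session(user, workstation, rec.apps, rec.feeds,
                       dict(rec.preferences))

    def authorize(self, session, app):
        # Re-check the host record so a MAC removal takes effect immediately,
        # even for a session that was opened earlier on another workstation.
        rec = self._users.get(session.user)
        return rec is not None and app in rec.apps

    def save_preferences(self, session, **prefs):
        self._users[session.user].preferences.update(prefs)


def demo():
    sec = SecurityFunction()
    # Constructed users, passwords and workstation names.
    sec.mac_add("advisor1", "constructed-pass-1",
                {MARKET_DATA, PLANNING, MIRROR_ALERTS}, {"NYSE"})
    sec.mac_add("sales1", "constructed-pass-2", {MARKET_DATA})

    home = sec.login("advisor1", "constructed-pass-1", "branch-A/ws-07")
    sec.save_preferences(home, watchlist=["AAA", "BBB"])
    away = sec.login("advisor1", "constructed-pass-1", "branch-B/ws-02")
    sales = sec.login("sales1", "constructed-pass-2", "branch-A/ws-07")

    results = {
        "same_entitlements": home.apps == away.apps,
        "prefs_follow_user": away.preferences,
        "sales_gets_alerts": sec.authorize(sales, MIRROR_ALERTS),
        "bad_password": sec.login("advisor1", "wrong", "branch-A/ws-07"),
    }
    sec.mac_remove("advisor1")
    results["removed_session_ok"] = sec.authorize(away, PLANNING)
    results["removed_login"] = sec.login("advisor1", "constructed-pass-1",
                                         "branch-B/ws-02")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```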

D. Workstation: 

A component of the present invention is workstation 20 having a 
stable operating environment and access to integrated finance-related software 
applications. Workstation 20 can be used to review real-time market 
conditions; obtain research, assist financial planning, monitor financial 
activities, enter orders for the execution of security transactions, and conduct 
numerous other financial activities. Workstation 20 is fast, simple to use, and 
is readily adaptable to the needs of the user. As shown in FIG. 2, workstation 
20 includes a central processing unit 22; a video display screen (VDS) 24; 
communication system 29 for communicating between workstation 20 and at 
least one host server; and an application interface (shown in FIGS. 4-12) 
operable for accessing at least one finance-related software application. 

VDS 24 is connected to a color video graphic controller card of 
workstation 20 and provides a mechanism by which financial information can 
be displayed on VDS 24 in graphic form. Preferably, CPU 22 is housed in a 
single stationary or portable unit. CPU 22 of a stationary workstation 20 may 
comprise an IBM desktop personal computer with 96 megabytes of RAM, a
350 megahertz INTEL Pentium II processor, a 4.5 gigabyte hard drive, and a 
color video graphic controller card. Preferably, VDS 24 is a 17-inch color 
monitor with a screen resolution of at least 800 x 600 pixels, such as those 
sold by Sony Corp. of America. As an option, a printer 25 may be connected 
to CPU 22. 

A portable workstation may likewise be used in system 10. In one 
embodiment, the portable workstation comprises a laptop computer having at 
least a 166 megahertz INTEL Pentium processor, 64 kilobytes of RAM, and a 
screen resolution of at least 800 x 600 pixels. A portable workstation would 
also include network capabilities such as direct dial for connecting the user to 
the host server. Additionally, a portable workstation may include Internet 
access, and may comprise any web-based browser interface, e.g., Microsoft 
Internet Explorer 4.0 or greater. Details of accessing system 10 via a 
specialized Internet browser interface are provided in co-pending U.S. patent 
application entitled "Browser Interface and Network Based Financial Service 
System," assigned to PaineWebber, Inc. Through messaging technologies, 
other advanced technology interfaces, such as a personal digital assistant, 
advanced cellular technology, Web-based TV and the like may be utilized
with system 10. 

CPU 22 also includes mechanisms for selectively controlling the 
display of information on VDS 24 as well as devices for entering data into the 
system. Preferably, workstation 20 includes a keyboard 26 and a mouse 28 
for entering information and directing the graphical display on VDS 24. 

Communication system 29 may also access finance-related products 
and other information from the Internet. Typically, communication system 29 
includes a modem having a speed of 28.8 kilobytes per second (Kbps), 
although a modem speed of 56 Kbps is preferred. Of course, high-speed 
connections such as ISDN, cable modems, or digital subscriber lines may be 
used. 

All of the hardware elements described herein may be readily replaced
with other existing or later-developed elements that perform similar functions. 
For example, many different types of CPU's could be used instead of the unit 
described above. Likewise, touch screen displays, light pens, track balls, 
keypads, stylus-type input devices or any other input device could be used 
instead of or in addition to keyboard 26, mouse 28, or both. 

Every workstation 20 is programmed with an operating system
software such as Windows NT® 4.0 from Microsoft Corp. Use of such an
operating system allows each of the software applications to operate 
independently. Each workstation 20 may also contain a number of software 
applications. For example, workstation 20 may have a suite of applications 
from Microsoft Office® (i.e., Outlook, Word, Excel, PowerPoint), Norton
Utilities®, various proprietary software for authenticating user access to the
workstation, and non-proprietary finance-related applications. Each
workstation 20 is also equipped with Internet access and an Internet browser 
such as Microsoft's Internet Explorer®4.0 or greater, or Netscape Navigator. 
Alternatively, these applications may be resident on the host server and 
accessed as necessary. The hardware and software framework described 
herein allows a user at any workstation 20 to access a host server and utilize 
all available resident software applications. In this way, system 10 can be 
used to provide superior financial assistance from remote locations. 

A user controls an individual workstation 20 using the hardware and 
software therein. The commands entered by the user through the keyboard 26, 
or mouse 28, are transmitted to the CPU 22 of workstation 20. As previously 
indicated, a user can access a host server via WAN, LAN or other private 
networks directly, or via the Internet. In the instance where communications 
are established over the Internet or a virtual private network (VPN), all data is 
encrypted. This ensures that account integrity will be maintained. 

E. Host Server(s):

In a preferred embodiment, the software applications necessary to 
practice the present invention reside on at least one host server computer. 
However, as is evident from FIG. 1, system 10 preferably includes more than 
one server computer, which, for the purpose of the present disclosure, is 
collectively referred to as "host server" 100. Host server 100 is linked to a 
series of workstations 20 via communication system 40 by wide area networks 
(WAN) 42 and local area networks (LAN) 44. Other private networks or the 
Internet may also be utilized. Communication system 40 may utilize 
conventional token ring connectivity, Ethernet, or other conventional 
communications standards. 

Where workstations 20 are connected to a host server via the Internet, 
VPN or Secure Extranet, connectivity is provided by conventional TCP/IP 
sockets-based protocol. System 10 is preferably implemented in such a way 
as to optimize on infrastructure costs. For example, to reduce recurring 
communication charges, distributed processing domains are established. 
These domains are commonly referred to as 'branches', and may include any 
convenient grouping of workstations 20, servers, etc. It should be recognized, 
however, that these branches do not necessarily correspond to brick-and- 
mortar type branches of the preferred financial service corporation setting. 
System 10 works optimally when data accesses are made by LAN speeds. 
Each branch location has servers 102, which support discrete data intensive 
applications. These servers are updated through a series of real time, 
synchronous and asynchronous communications, data replication or auto 
scheduled batch processes triggered by a central server(s) 110 automated 
scheduling processes. 

In a preferred setting, host server 100 includes a number of branch 
servers 102 and at least one central server 110.

Each branch server 102 may include: (1) network based server(s) 
(NBS) 104 that provide shared file space, proxy caching, e-mail, directory 
services, transactional messaging, printing, software distribution services, 
etc.; (2) database/database server(s) 106 that provide user entitlements, client
contact information, balances, positions, transaction history, multiple 
portfolio analysis views of data for a financial adviser to use during client 
contact, etc.; and (3) market data server(s) 108 that provide real time tick by 
tick updates for all entitled exchanges. 

Host server 100 may also preferably include at least one central 
server(s) 110, having an array of other servers and databases, that provide a 
variety of services to workstation 20. Example central server 110 components
include security server 112 (failover), market data server 114 (failover), 
master entitlement database 116, product server(s) 118 and mainframe 121. 
Central server(s) 110 may provide services such as user authentication, master
entitlement services, transactional messaging services, e-mail, directory 
services, mainframe applications (e.g., order and trade entry, bookkeeping, 
client and account data, offered inventory products, etc.), financial service 
corporation proprietary research, marketing and product information, failover 
market data servers, Internet access through a secure firewall 120, e-mail pre 
and post review, e-mail archiving and quarantining, online client documents
(e.g., client statements, confirms, IRS form 1099, etc.), all bookkeeping 
reports archived in storage, client portfolio reporting, managed account
application for providing advice from a financial adviser to a client, etc. 
Central server(s) 110 are implemented using load balancing processes and
auto-failover processes for optimizing availability and capacity on the servers. 
A firewall 120 is also preferably included between communication system 40 
and central server(s) 110. Firewall 120 controls access to the Internet 122 and
Internet investment products (outside vendor products) 124, such as Reuters 
Plus or Quotron by Reuters. 

System 10 also preferably includes high availability failover 
capabilities through central server(s) 110. For instance, if a workstation 20 
detects loss of one or more branch servers 102, connection will be made to a 
comparable central server 110, which in turn has the ability to provide for full
functionality in the event that one or more of the distributed branch servers
102 fails. 

A server computer typically comprises from mid-range to advanced 
symmetric multiprocessing (SMP) based servers, such as the 220, 420, 450, 
4500, UE10K from Sun Microsystems or the RISC6000 F50, 270, SP2, S80
servers from International Business Machines, utilizing standard operating 
systems AIX/SOLARIS, application software written in C++, Java or a similar 
language. Third party tools such as, Netscape Webserver, WebSphere Web 
and Application Server, Vignette Story Teller, Sybase, DCE/DFS, MQ, CICS 
6000, DB2, etc., may also be used. 

Host server 100 may also provide additional network based services 
such as a printing service for network-based printers, e-mail service, a proxy 
caching service, a distributed file service (DFS), and messaging interfaces for 
storing and forwarding messages between servers utilized inside and outside 
of the system such as compliance alerts, financial advisor alerts and the like. 
In addition, host server 100 receives, stores and forwards updated data on user 
and/or investor data (i.e., reflective of a new user/investor relation) or 
investor security and cash positions to workstations 20. Typically, host server 
100 receives this information pursuant to an automated batch process 
occurring between 8:00 pm and 8:00 am daily. All servers are backed up 
daily. Advantageously, this ensures access to the system 24 hours per day/7 
days per week subject to scheduled maintenance and normal outages. 
Typically, scheduled maintenance occurs between 3:00 am and 3:30 am on 
days when the public exchange is open for trading. 

II. Software 

Referring to FIG. 3, a software hierarchy is shown. At the lowest 
level of the software hierarchy, an operating system software 32 is provided. 
Preferably, operating system software 32 is a Windows NT® 4.0 operating 
system from Microsoft Corp. As well known by those having skill in the art, 
operating system software 32 causes the hardware components to operate in 
combination with one another by accepting input data, processing input data,
and producing output data. 

Conventional communications software 34 runs on top of operating 
system 32. This software permits user interaction with the keyboard 26, 
mouse 28 or similar input device of the workstation to control the operation of 
the software and other applications resident on host server 100. It also serves 
as a means for transmitting information between the workstation 20 and host 
server 100. As indicated in FIG. 3, communications software 34 is also
linked to the Internet 33. Workstation 20 is equipped with an Internet 
browser such as Microsoft's Internet Explorer. Internet access 33 allows a 
user to conduct searches for investment information, background information, 
breaking news that affects investments and the like. Internet access 33 also 
allows a user to communicate with other users and with clients via e-mail 
packages such as provided by Microsoft Outlook. This provides means to 
access the Internet, send e-mail, search at least one browser-based information 
system, etc. 

Application interface 60 and authentication system 80 are applications 
running on top of operating system software 32. The function and details of 
these applications will be discussed below. 

As shown in FIG. 3, communications software 34 is also preferably 
linked to a browser-based information system 35 that provides proprietary 
product and administration information. Browser-based system 35 enables 
users to conduct searches for ideas and information, provides links to related 
pages (for example, a sales idea, a marketing brochure, etc.) provides 
subscriptions to popular publications and research, access to third-party news, 
information and sales ideas, and allows a user to fill out and forward forms to 
an investment forum outside of the system. 

Another preferable application 38 running on top of communications 
software 34 provides information on numerous variable annuities and mutual 
funds, as well as multiple ways to filter and present information on VDS 24 of 
an individual workstation 20. 

Another useful application is investor monitoring system or mirror
system 39, which allows the user to monitor specified investor accounts and 
activity; for example, online investor transactions. In this instance, host 
server 100 is linked via conventional communication channels to a system for 
investor trading such as an online transaction forum, or some other investor 
transaction system such as a telephone-assisted investment forum, and 
receives real-time communications regarding investor-mediated transactions. 
These are, in turn, transmitted to a user's workstation 20 on a real-time basis. 
Because the user is notified of an investor's transaction status, he or she can 
intercede and/or act in a proactive manner; for example, by contacting the 
investor if it appears that the investor needs assistance with a transaction. In 
this way, the user (i.e., financial advisor) can protect an investor outside of 
the system of the present invention from executing deleterious financial 
transactions. The mirror feature also alerts a workstation 20 within the 
system where an investment transaction forum, such as those described above, 
blocks an investor from entering an investor-mediated transaction, or 
alternatively allows an investor to successfully complete a particular 
transaction. Advantageously, the mirror feature also allows the user to enter 
transaction orders through a transaction forum outside of the system of the 
invention on behalf of investors as well as ascertain related commission fees. 

In accordance with the present invention, a preferable software 
application running on top of the communications software is at least one 
finance-related software application 36. Finance-related applications 36 may 
include any number of different software applications. Typically, these 
provide financial planning services as well as conventional office 
applications. 

In a preferred embodiment, two preferred finance-related applications 
36 comprise a real-time market data application and a financial planning 
application. A useful market data application that provides real-time access 
to quotes (e.g., last, bid, ask, NASDAQ, Commodities, etc.), news, and 
historical (e.g., daily, weekly) and intraday charting, is provided by the 
Reuters Plus server from Reuters. Preferably, the market data application also 
provides dynamic market indicators (i.e., percent up and down, point gainers 
and losers, foreign exchanges, financial futures, most active trades and the 
like), news from popular services and the Dow Jones, market views, a fixed 
income calculator, symbol guide and news and limit alerts as well as the 
ability to customize charting features and web pages. Enhanced features of 
market data application include a customized full quote window 69 (shown in 
FIGS. 4, 6-12), which contains a myriad of market information such as 
proprietary valuation of instrument rating (e.g., buy, sell, hold and indication 
of strength of recommendation), price/earnings (P/E) ratio, from a financial 
service corporation research department, etc. Full quote window 69 
preferably is continuously displayed on VDS 24 as part of application 
interface 60, i.e., it is fully integrated into all application data displayed from 
any component server of host server 100 from which data is retrieved or sent. 
The symbol in the full quote window may also be dynamically linked to the 
symbol highlighted by a user's cursor, or mouse 28. Another enhanced feature 
included in the market data application is information from a financial service 
corporation compliance and legal restriction department. 

A financial planning application of finance-related software 
application 36 may allow a user to profile clients and present appropriate 
asset allocations and investment alternatives. This tool displays an investor's 
current asset allocation and suggests an alternative allocation based on risk 
tolerance. It analyzes progress toward goals using established growth rate 
assumptions; allows for customization of asset allocation and change in 
certain variables to assess the impact on an investor's financial situation; and 
it allows for the assessment of the impact of inflation and other factors on 
investment results. The financial planning application can also be used for a 
retirement funding analysis, that is, to analyze the retirement savings and 
income needs of clients who are planning for retirement or who are already 
retired; for an education funding analysis, which addresses the funding needs 
for preparatory, undergraduate, and graduate schools; or other similar 
analysis. 

Another useful finance-related application 36 is a financial research 
system such as the proprietary PaineWebber PWER II system. This 
application searches for companies by industry, price, P/E ratio, growth rate 
and rating, utilizing multiple search methods such as by date, author, title, 
industry, subject code, ticker symbol, company name, report type and country. 

Other useful finance-related applications 36 include, but are not 
limited to, systems for the provision of: investor account data, online 
statements, transaction confirmations, IRS 1099's, investor account 
information, portfolio management, TFI and MUNI inventory, security cross 
references, etc. An example investor account data application is QUBE®, a 
PaineWebber contact and portfolio management system, that groups a client's 
account information. 

Conventional office applications such as Microsoft Office, a suite of 
software applications including Word (for word processing), Excel (a 
spreadsheet functionality), PowerPoint (for presentations) and Outlook 
(enables a user to manage information and send and receive e-mail), as well as 
any other software which enables a financial advisor user to provide financial 
assistance to an investor may also be provided. 

In accordance with the present invention, the system can contain an 
unrestricted number of different software applications. Advantageously, the 
system of the present invention can accommodate any type of finance-related 
software application compatible with other system applications. 

III. Application Interface 

As illustrated by FIGS. 4-12, where a successful logon has been 
completed, the user is presented with an application interface 60 providing a 
screen display of available applications. This main screen has a toolbar 62 
which allows the user to navigate applications, access the Internet, exit the 
system, print from any application, and the like. Navigation through 
application interface 60 and, in particular, the software applications, may be 
accomplished by means of toolbar 62, a taskbar 64, or a start button 66 that 
reveals a start menu 68. Start menu 68 cascades as is the standard Windows' 
function. Advantageously, application interface 60 provides a seamless 
transition between the different features afforded by system 10. The 
applications available are determined by a user's entitlement level as will be 
described in more detail relative to authentication system 80. Application 
interface 60 thus acts as a "controlled shell" of applications for a user in that 
only applications that a user is entitled to are provided to him or her. 

Based on the type of financial assistance desired, the user selects the 
appropriate application(s) for use. In accordance with the particular user 
selection, workstation 20 opens/connects to the selected application(s) and the 
user is able to view the application at workstation 20. Broadly stated, once 
the user selects an application of interest, this is transmitted to workstation 
20. Application data received is from any component server of host server 
100, i.e., branch or central servers, or through firewall 120 from the Internet 
122 (FIG. 1). This data is received by CPU 22 of workstation 20 and 
uploaded into the RAM of workstation 20. The resultant graphical display on 
VDS 24 is controlled by the contents of the RAM in a conventional manner. 
Whenever a new application is activated, the data is transmitted to the user 
workstation 20 in a similar manner. 

As previously mentioned, any number of applications may be run 
concurrently. These applications can be viewed on VDS 24 in a variety of 
permitted formats. Portions that are continuously displayed on VDS 24 are 
toolbar 62 and full quote window 69. With the remaining screen space, the 
user may open or close any application. One application is a market data alert 
window 72 which provides data on market conditions (preferably positioned 
above the taskbar 64). When the market data alert window 72 is closed, a 
symbol 74 (e.g., a triangle with an exclamation point) may appear in a tray 76. 
Tray 76 shares taskbar 64 row position and is adjacent the far right corner of 
taskbar 64. When symbol 74 is activated, e.g., by blinking and/or turning red, 
the user knows that there are alerts for him or her to view and, at the time, the 
user can open the market data alert window 72. The application window 78, 
located above taskbar 64, adjusts and resizes appropriately. A user may also 
hide taskbar 64. 

The user can display any application of interest in application window 
78. Within application window 78, each application may have either buttons 
or pull down menus or special function keys to be used for further navigation 
and selection of tools and data. 

The outputs from the applications may be printed via an attached 
printer or stored in workstation 20 for later use. Advantageously, output data 
from one application may be used in another subsequent application. This 
allows for the integration of software outputs and inputs in the system 10. 

In accordance with the present invention, once the user obtains 
financial information of interest, he or she can utilize this information to 
advise an investor, conduct exchanges on behalf of an investor, chart an 
investor's investment progress, or the like. In this way, the user can provide 
the investor with timely, proactive financial advice. 

Referring to the details of FIGS. 4-12, an exemplary application 
interface 60 is described. It should be recognized that the particular 
applications disclosed may vary depending on a user's entitlement level as will 
be described in more detail below. Furthermore, the particular appearance of 
application interface 60 may vary according to a user's preference profile, 
e.g., each user's toolbar may have buttons in different positions, have 
different applications viewable from start menu 68, etc. It should also be 
recognized that while the applications will be shown as available through start 
menu 68, applications are also selectable from toolbar 62, or, if open, from 
taskbar 64. 

FIG. 4 illustrates calculator applications of the application interface 
60. Examples of calculators available include a commission calculator, a 
covered call calculator and a Microsoft® calculator. 

FIG. 5 illustrates a real-time market data application which provides 
information relating to a particular stock. The market data application 
preferably accesses an outside market data server 108 or 114 (FIG. 1) that 
provides such information, e.g., Quotron by Reuters. Data may also be 
provided from an outside Internet investment product server(s) 124 via the 
Internet 122. 

Where the user wishes to view market data, he or she can click on that 
option on the initial screen (selector 59 shown in FIG. 4) and a market data 
application, similar to that illustrated in FIG. 5, will appear. The user can 
further navigate within the market data application to obtain general 
headlines, and specific information on a security such as a quote, headlines, 
options, time & sales, institutional holders, and the like. Other optional 
information such as a market snapshot of indices, an overview of several 
exchanges (i.e., NYSE, NASDAQ, AMEX), sector quotes, and news 
categories may also be accessed. Likewise, historical charts can be plotted 
for a given security. All market data is updated dynamically. 

Each user that is entitled to market data is assigned an identification 
for access, e.g., a user is a Reuters Plus market data client and has an 
identification for that service. Each user so entitled subscribes to symbols, 
e.g., stock symbols, referenced in their application window 78. This 
subscription occurs from the Reuters Plus client software on workstation 20 to 
the branch market data server 108 (LAN connection speeds). Once connected 
data flows in real time to this user's application. Changes are indicated on 
screen and the user has the ability to set options such as colors, font sizes, 
audible alerts, blinking, etc. The receiving of the market data updates is 
frequently called "dynamic, real-time, streaming quotes". Using mechanisms 
well known to those with skill in the art, any relevant market data may be 
accessible within this application. Advantageously, the application permits 
customization of any of the displayed information and allows for multiple 
representations on a single screen. For example, a historical chart, news 
headlines and a customized list of securities can be viewed within a single 
screen. 

It should be noted that FIG. 5 also illustrates application interface 60 
when accessed via an Internet browser 72 such as Microsoft Internet 
Explorer®. In this case, start menu 68 may be reduced in size and provided 
on the Web page accessed. Similarly, toolbar 62 may be reduced in size and 
provided on the Web page accessed, or omitted in lieu of the browser toolbar, 
as shown. As discussed above, details of accessing system 10 via an Internet 
browser interface are provided in the co-pending U.S. patent application 
entitled "Browser Interface and Network Based Financial Service System," 
previously mentioned. 

FIG. 6 illustrates client information applications such as account 
inquiry, householding, online client services, portfolio management, client 
contact and portfolio information, (e.g., Qube® offered by PaineWebber), 
security cross reference, stock records, 1099 system, client database, client 
and account review, client statement system, dividend reinvestment, late pay- 
margin interest, managed account billing, client account balances (i.e., 
MoneyLine), operations problem ticket tracking and reporting system (i.e., 
STAR), and client account cross reference lookup/routing used to maintain 
audit of account number changes (i.e., Trick Deck). It is from the account 
inquiry selection that a user may access the investor monitoring system 
discussed above. 

FIG. 7 illustrates opportunities and event applications such as new 
and old corporate actions, a financial adviser view of his or her client account 
balances, maturing holding, commissions revenue history, etc. (called FYIE), 
and an enhanced version of FYIE that provides a financial adviser with 
upgrade recommendations for his client's particular needs in order to swap or 
upgrade security recommendations (i.e., Windows of Opportunity (WOO)). 

FIG. 8 shows available print options such as default printer select, 
print, print preview, print with options. 

FIG. 9 shows product and investment applications such as a 
proprietary browser-based information network (e.g., InfoNet), MUNI, money 
market funds, mutual funds, taxable fixed income, unit trust, broker order 
entry, investment consulting software, a mutual fund performance and 
selection tool (e.g., PaineWebber HySales), portfolio management daily 
download, and syndicate investment executive. 

FIG. 10 illustrates financial research applications such as the 
proprietary PWER and PWER web. 

FIG. 11 shows support applications such as account maintenance fee, 
aged check system, disbursement confirmation system, fed funds transfer 
system, messages, securities information inquiry, and security glossary 
lookup. 

FIG. 12 shows more general office applications available under the 
heading 'tools'. 

Advantageously, all applications which are accessed through interface 
60 may also include a scratchpad application 61 (FIG. 4), which serves to 
maintain focus on accounts or positions by moving information between each 
of the applications utilized by system 10. Hence, scratchpad 61 relieves the 
user from having to continually re-enter data. 

IV. Authentication System 

Referring to FIGS. 13-16, an authentication system 80 of the 
invention is shown in greater detail. Authentication system 80 allows a user 
to access applications according to entitlement and access a user preference 
profile regardless of the physical location of workstation 20. 

The system provides an application suite in accordance with a pre- 
determined entitlement level. A user's entitlement level may be determined 
by functional position; for example, financial advisor, sales assistant, 
operations user (e.g., branch bookkeeper), branch office manager, division 
manager. Applications can be added to or deleted from a user entitlement level as 
necessary. All security updates, new user, applications, and MAC's may 
require secondary approval before they are processed. It should be recognized 
that while the description will explain operation in terms of a user having a 
single entitlement level, a user may have a number of entitlement levels, e.g., 
one for market data applications and another for other applications. 

Authentication system 80 uses the entitlement profile to build 
application interface 60. A user entitlement profile is stored in an entitlement 
database(s) within system 10 and may include a number of identifications or 
passwords for the user, e.g., universal user name (UUNAME) including, for 
example: parent branch and physical branch wire code (2 digit unique branch 
designation), and a Quotron® user identification (QID). A particular 
workstation 20 may also be limited in access, for example, due to physical 
security requirements, and also include a workstation entitlement level stored 
in an entitlement database(s) within system 10. In this case, a user may have 
to use a particular physical workstation 20, i.e., there is no nomadic 
capability. 

A customized user preference profile is also stored in a 
distributed/shared file space (DFS) which is preferably maintained in branch 
server 102 within system 10 and contains customized user settings, e.g., user 
network registry settings for preferencing directories and files, application 
taskbar settings, etc. A user's preference profile will be used to build 
application interface 60 and provide the user with preferences that he or she 
previously set. 

As previously indicated, authentication system 80 also preferably 
includes a move/add/change (MAC) function 93 (FIG. 13), which provides a 
single point of control for all updates to user preference profiles, which in 
turn perform synchronous updates to all required security platforms, 
directories, entitlement and permission data bases, market data entitlements 
(e.g., QUOTRON identification or QID), all e-mail account information for 
simple mail transfer protocol (SMTP) or Microsoft Exchange based e-mail 
services, and all printer account information. MAC function 93 provides for 
distributed administration of client accounts. For example, each branch 
preferably has a designated MAC staff member who via MAC function 93 has 
the permission to update user entitlements for those users in the branch. This 
distributed updating is a significant advantage to the overall operation of the 
platform because local staff can be administered by a local administrator. If 
desired, changes may require secondary approval, for instance, by a branch 
manager, thereby maintaining tight security control of this distributed 
function. 
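
The branch scoping and secondary approval of MAC function 93 can be sketched as follows. This is an added illustration in Python, not code from the application; the class and field names, the rule that a requester may not approve his or her own change, and the stage-then-commit update of every platform are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class MacRequest:
    """One move/add/change request; frozen so approved content cannot be altered."""
    requester: str
    target_user: str
    branch: str                       # wire code of the target user's branch
    add: frozenset = frozenset()
    remove: frozenset = frozenset()
    approved_by: str = None


class MacFunction:
    """Single point of control for entitlement changes (hypothetical model)."""

    def __init__(self, mac_staff, approvers, user_branch, platforms):
        self.mac_staff = mac_staff        # wire code -> designated MAC staff
        self.approvers = approvers        # wire code -> e.g. branch managers
        self.user_branch = user_branch    # user name -> wire code
        self.platforms = platforms        # platform name -> {user: entitlements}

    def submit(self, requester, target_user, add=(), remove=()):
        """Accept a request only from MAC staff of the target user's branch."""
        branch = self.user_branch[target_user]
        if requester not in self.mac_staff.get(branch, set()):
            raise PermissionError(requester + " does not administer branch " + branch)
        return MacRequest(requester, target_user, branch,
                          frozenset(add), frozenset(remove))

    def approve(self, request, approver):
        """Secondary approval by a second person entitled to approve for the branch."""
        if approver not in self.approvers.get(request.branch, set()):
            raise PermissionError(approver + " cannot approve for this branch")
        if approver == request.requester:
            # Assumption: secondary approval means a different person.
            raise PermissionError("requester cannot approve his or her own change")
        return replace(request, approved_by=approver)

    def apply(self, request):
        """Update every platform together, and only for an approved request."""
        if request.approved_by is None:
            raise PermissionError("secondary approval missing")
        staged = {}
        for name, store in self.platforms.items():
            current = set(store.get(request.target_user, set()))
            staged[name] = (current | request.add) - request.remove
        for name, new_set in staged.items():   # commit after all were computed
            self.platforms[name][request.target_user] = new_set
        return staged


if __name__ == "__main__":
    # Constructed sample data: one branch, one MAC staff member, one manager.
    stores = {"entitlement_db": {"jdoe": {"account_inquiry"}},
              "market_data": {"jdoe": set()}}
    mac = MacFunction({"42": {"mac42"}}, {"42": {"mgr42"}}, {"jdoe": "42"}, stores)
    req = mac.approve(mac.submit("mac42", "jdoe", add={"market_data"}), "mgr42")
    print(mac.apply(req))
```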

As shown in FIG. 13, authentication system 80 includes a shim 
module 82, a controller 84, a logon-off control module 86, a shell 
initialization module 88, an application interface launch module 90, a 
password module 92 and MAC function 93. Operation of authentication 
system 80 will be described relative to FIGS. 14-16. It is also noted that 
authentication system 80 will be described relative to a host server 100 having 
multiple components. While authentication system 80 is preferably used in a 
distributed server system, it should be recognized that the servers described 
might be condensed into a single server. 

Referring to FIG. 14, in a first step S1, a user boots a workstation 20, 
i.e., turns on or re-starts a workstation. 

In step S2, a normal boot sequence is interrupted and shim module 82 
is activated to direct operation to logon-off control system 86, i.e., standard 
workstation protocols (e.g., Winlogon) are interrupted. Logon-off control 
system passes through all requests for service to controller 84 and loads shell 
initialization module 88 and application interface launch module 90. In a 
preferred embodiment, shim module 82 replaces a Microsoft® graphical 
identification and authentication dynamic link library (GINA dll) that 
operates with the Winlogon component of Microsoft® Windows NT® with a 
special system GINA dll that acts as controller 84. 

As will become evident, controller 84 (sometimes through modules 
82, 86, 88, 90, 92) governs a number of activities including retrieving a user's 
preference profile; populating application interface 60; finding a user's 
entitlement level; retrieving numerous user identifications (e.g., parent branch 
wirecode, market data server ID, outside Internet investment product server 
ID and security ID for use by shell initialization module 88); creating a local 
user directory based on a user's preference profile; storing user password(s) in 
a library for applications to retrieve; setting an access control list on a logging 
in user's directory to provide full control; verifying and backing up user 
preference profiles; removing local preference profiles (excepting defaults, 
administrative and guest settings); and notifying a user of password 
expiration. 

At step S3, controller 84 authenticates a user logging on by activating 
password module 92. Password module 92 may access a special security 
server 112 (shown in FIG. 1) to authenticate a user. Upon initialization of 
security server 112, a user will be presented with a dialog for input of a user 
name and password. Presentation of this dialog may also provide for the 
shutdown of workstation 20. Prior to presentation of this dialog, it may be 
necessary for the system to request the user to implement a secure attention 
sequence (SAS), e.g., by pressing ctrl-alt-del. 

Controller 84 may also indicate that a password change is required, 
i.e., it is about to expire based on information from security server 112. At 
this time, the MAC function 93 notifies the user that a password-reset 
operation has been performed and the password must be changed. The 
password may be changed in any conventional way of inputting a new 
password with a confirmation. 

At step S4, controller 84 creates a local user directory, verifies that a 
user preference profile path for the user exists and backs up the user 
preference profile. A user preference profile may exist on a branch server 102 
or another server within system 10, i.e., they may be local or remote. A user 
preference profile includes a number of directories and files of the user, called 
a registry, that are used by system 10 to access a user's information. If 
controller 84 cannot verify a path, authentication system 80 uses a default 
profile. If a registry fails to load for a user, controller 84 may attempt to use 
a user's last known profile, which may be accessible from a back up of the 
profile. Creating a local user directory on workstation 20 includes mapping 
the directories of workstation 20 to the registry of directories and files for a 
user. 

At step S5, after a user is authenticated, logon-off control 86 executes 
shell-initialization module 88 (hereinafter "shell-init module"). 

At step S6, shell-init module 88 determines whether a previous logon 
did not proceed normally. If this is the case, shell-init module 88 undoes the 
changes made during last logon, i.e., it remembers user preference profile 
changes made during the previous logon. 

At step S7, shell-init module 88 maps server names for user 
information to server IP address and port number. This is accomplished by 
determining the user's mode of computing (e.g., in-home-branch, nomadic-in- 
home-branch, nomadic-in-visiting-branch) by comparing the wire code of the 
workstation 20 the user logs-in with the user's own workstation and parent 
branch server wire code. That is, shell-init module 88 determines where a 
user is by determining whether the user is at his own workstation, a 
workstation within his or her parent branch or a workstation at another 
branch, etc. 

For authentication purposes, shell-init module 88 is directed to a 
cluster of central authentication servers. In particular, user entitlement level 
and user preference profile are attained from the user's branch server 102 or a 
master entitlement server 116 of central server(s) 110. If a user is physically 
in their branch, i.e., at their own workstation or a workstation in their parent 
branch, then shell-init module 88 will point to the branch server 102. 
Otherwise, shell-init module 88 will point to the master entitlement server 
116 to attain a user entitlement level and user preference profile. If possible, 
shell-init module 88 will always point to the branch server 102 of the branch the 
user is in, whether a visiting branch or the home or parent branch, to make best use of 
bandwidth. Shell-init will always point to the branch database server 106 for 
certain services, e.g., financial adviser specific client data, SMTP e-mail, etc. 

Next, turning to FIG. 15, at step S8, shell-init module 88 connects to 
an entitlement database, located on a server within system 10. Access to user 
entitlement level is based on the user identity input at authentication. Shell- 
init module 88 attempts first to access a user's branch database 106, which 
includes an entitlement database, to determine this information. If unable to 
do so, system 10 has a failover to a central server 110 master entitlement 
database 116. Master entitlement database 116 includes duplicate entitlement 
databases to those in the branches. 
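
The mode-of-computing test of step S7 and the entitlement lookup with failover of step S8 can be sketched as follows. This is an added illustration in Python, not code from the application; the class names, the sample wire codes and the choice to refuse a logon when a reachable database holds no record for the user are assumptions.

```python
from dataclasses import dataclass

IN_HOME = "in-home-branch"
NOMADIC_HOME = "nomadic-in-home-branch"
NOMADIC_VISITING = "nomadic-in-visiting-branch"


@dataclass(frozen=True)
class User:
    name: str
    parent_wire_code: str      # wire code of the user's parent branch
    own_workstation: str       # identifier of the user's own workstation


@dataclass(frozen=True)
class Workstation:
    ident: str
    wire_code: str             # wire code of the branch the workstation sits in


class EntitlementStore:
    """Stand-in for an entitlement database (branch copy or master copy)."""

    def __init__(self, name, records, online=True):
        self.name = name
        self.records = records             # user name -> set of entitlements
        self.online = online

    def lookup(self, user_name):
        if not self.online:
            raise ConnectionError(self.name + " unreachable")
        return self.records[user_name]     # KeyError: no record for this user


def computing_mode(user, ws):
    """Step S7: compare the workstation's wire code with the user's own."""
    if ws.wire_code != user.parent_wire_code:
        return NOMADIC_VISITING
    if ws.ident == user.own_workstation:
        return IN_HOME
    return NOMADIC_HOME


def resolve_entitlements(user, ws, branch_stores, master):
    """Step S8: return (mode, source name, entitlements) or refuse the logon."""
    mode = computing_mode(user, ws)
    candidates = []
    if mode != NOMADIC_VISITING and user.parent_wire_code in branch_stores:
        candidates.append(branch_stores[user.parent_wire_code])
    candidates.append(master)              # failover copy, and the visitor's source
    for store in candidates:
        try:
            granted = store.lookup(user.name)
        except ConnectionError:
            continue                       # outage only: try the next copy
        except KeyError:
            # Assumption: a reachable database with no record is a denial,
            # never a reason to grant a default set of applications.
            raise PermissionError("no entitlement profile for " + user.name)
        return mode, store.name, frozenset(granted)
    raise PermissionError("no entitlement database reachable; logon refused")


if __name__ == "__main__":
    # Constructed sample data: branch 42 and a master copy of its records.
    records = {"jdoe": {"market_data", "account_inquiry"}}
    branch = EntitlementStore("branch-42", records)
    master = EntitlementStore("master", dict(records))
    jdoe = User("jdoe", "42", "WS-42-007")
    for ws in (Workstation("WS-42-007", "42"), Workstation("WS-17-001", "17")):
        print(resolve_entitlements(jdoe, ws, {"42": branch}, master))
```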

Next at step S9, shell-init module 88 retrieves a particular 
workstation 20's entitlement level and the user's entitlement level. In 
particular, shell-init module 88 retrieves a list of user identifications for 
accessing applications. These identifications are stored for use by application 
interface 60. 

At step S10, shell-init module 88 logs on to an appropriate server, 
e.g., branch server 102 or central server 110, and retrieves entitlement data. 
Shell-init module 88 secures registry entries for application interface 60, 
attains a user control list, a batch file for interface system launch module 90, 
and a user's parent branch wire code. 

Next at step S11, shell-init module 88 maps a workstation's local 
resource drives to a user's directories/files, i.e., distributed file system (DFS), 
by reading from the user's preferences and substituting variables with wire 
codes, branch groups and user names as appropriate. DFS may be located in 
any of host server 100 component servers. 

At step S12, shell-init module 88 activates interface system launch 
module 90, which runs throughout a user's session. Interface system launch 
module 90 builds start menu 68, starts toolbar 62, and handles security ticket 
expiration, user logoff and workstation 20 restorations. With special regard 
to security ticket expiration, launch module 90 continually monitors a security 
time ticket and gives a warning to a user when time is about to expire. This 
functionality is provided by querying password module 92 to determine what 
time allotment a user may have. 

Next at step S13, launch module 90 applies the entitlement data to the 
local workstation registry, i.e., it removes the local preference profile of the 
workstation the user is using. Thereafter, launch module 90 signals controller 
84 to start application interface 60. 

At step S14, controller 84 starts application interface 60, and launch 
module 90 populates the start menu 68 with the user's entitled applications 
and starts toolbar 62 and any other ancillary processes. During this time, 
launch module 90 retrieves pathnames of executables to launch from the 
registry. Some applications execute and are monitored, some execute but are 
not monitored, and some execute at logoff. These are monitored by launch 
module 90 so appropriate action may be taken. 

At step S15, shown in FIG. 16, launch module 90 activates 
application interface 60, which in turn activates all other applications 
according to a user's entitlement data. 

At step S16, the system is used to conduct various finance-related 
activities such as advising investors, conducting exchanges on behalf of an 
investor, charting investment progress, or the like. In this way, the user can 
provide the investor with timely, proactive financial advice. Launch module 
90 monitors a user's time versus a security ticket expiration and notifies a 
user when his/her time is about to expire. The notification may provide a user 
with the ability to extend the ticket, otherwise, the user will be forcibly 
logged off. 

At step S17, a user logs-off the system, at which time launch module 
90 restores the workstation registry entries that were in place prior to the 
user's sessions and clears the start menu. 

At step S18, launch module 90 passes control back to standard 
workstation protocols, e.g., Winlogon, and controller 84 copies a user's 
preferences from local cache to the location from which it attained them as 
appropriate so a user's changes can be accessed the next time the user logs on. 
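
The session handling of launch module 90 described in steps S6, S12 to S14, S16 and S17 (undoing an abnormal logon, replacing local settings with entitlement data, monitoring the security ticket, and restoring the workstation at logoff) can be sketched as follows. This is an added illustration in Python, not code from the application; the dictionary model of the registry, the crash-surviving journal and the 300-second warning window are assumptions.

```python
import copy

WARN_SECONDS = 300   # assumed warning window; the description gives no figure


class WorkstationSession:
    """Hypothetical model of one user session on a shared workstation."""

    def __init__(self, registry, journal):
        self.registry = registry      # dict standing in for the local registry
        self.journal = journal        # dict standing in for state that survives a crash
        self.expires_at = None

    def recover(self):
        """Step S6: undo changes left behind by a logon that did not finish."""
        if "pre_session" not in self.journal:
            return False
        self.registry.clear()
        self.registry.update(self.journal.pop("pre_session"))
        return True

    def logon(self, user, entitled_apps, ticket_expires_at):
        """Steps S13 and S14: swap local settings for the user's entitlement data."""
        self.recover()                # never snapshot a previous user's leftovers
        self.journal["pre_session"] = copy.deepcopy(self.registry)
        self.registry.clear()
        self.registry["user"] = user
        self.registry["start_menu"] = sorted(entitled_apps)
        self.expires_at = ticket_expires_at

    def check_ticket(self, now):
        """Steps S12 and S16: warn near expiry, force a logoff at expiry."""
        if self.expires_at is None:
            return "no-session"
        remaining = self.expires_at - now
        if remaining <= 0:
            self.logoff()
            return "forced-logoff"
        return "warn" if remaining <= WARN_SECONDS else "ok"

    def extend(self, now, granted_expires_at):
        """Extend the ticket only while it is still valid."""
        if self.expires_at is None or now >= self.expires_at:
            raise PermissionError("ticket expired; a fresh logon is required")
        self.expires_at = max(self.expires_at, granted_expires_at)

    def logoff(self):
        """Step S17: restore the prior registry entries and clear the start menu."""
        self.recover()
        self.expires_at = None


if __name__ == "__main__":
    # Constructed sample: times are plain seconds, registry is a small dict.
    registry, journal = {"default_printer": "LPT1"}, {}
    session = WorkstationSession(registry, journal)
    session.logon("jdoe", {"market_data", "account_inquiry"}, ticket_expires_at=1000)
    for now in (600, 700, 1000):
        print(now, session.check_ticket(now), registry)
```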

The authentication system 80 thus described allows a user to access 
applications according to entitlement and provides a user preference profile 
for that user regardless of where a workstation 20 is physically located. As 
such, the system 80 allows a user to logon at any workstation 20 and have all 
of the applications, directories/files and preferences available as if they were 
at their own workstation. 

Having thus described the invention in rather full detail, it will be 
recognized that such detail need not be strictly adhered to but that various 
changes and modifications may suggest themselves to one skilled in the art, 
all falling within the scope of the invention, as defined by the subjoined 
claims. 



